This is the latest documentation for the Cloud Posse Reference Architecture. To determine which version you're currently using, please see Version Identification.

EKS as a Foundational Platform


We first deploy the foundation for the cluster. The eks/cluster component deploys the EKS cluster with EKS Auto Mode enabled. Auto Mode delegates compute, networking, and storage management to AWS — node provisioning, load balancer management, and core addon lifecycle are all handled automatically. We then deploy Karpenter Node Pools for any additional compute requirements beyond the Auto Mode defaults. Next we deploy idp-roles to manage custom roles for the cluster, and deploy metrics-server to provide access to resource metrics.

Then we connect the cluster to our network. First we must deploy the cert-manager component to provision X.509 certificates on the cluster. Then we deploy the eks/ingress-class component to configure the default Ingress class for ALB-based routing. Next, we deploy external-dns which will look for annotations to make services discoverable, and then create records in our Route 53 Hosted Zones mapping to the cluster. Finally we deploy echo-server to validate the complete setup.

EKS Auto Mode Addons

With EKS Auto Mode enabled, AWS automatically manages the following addons: vpc-cni, kube-proxy, coredns, and aws-ebs-csi-driver. These do not need to be deployed or upgraded manually. The aws-efs-csi-driver is not managed by Auto Mode and remains self-managed via the eks/storage-class component.

info

Connecting to an EKS cluster requires a VPN connection! See ec2-client-vpn for details.

Depending on your application requirements we can also deploy a number of operators. The most common is the efs-controller, which we use to provide encrypted, shared file storage (EFS) that, unlike EBS volumes, is not locked to a single Availability Zone. Other operators are optional but often include the external-secrets-operator, which automatically syncs secrets from AWS SSM Parameter Store.

Monitoring and release engineering are handled separately from the components mentioned here, and we will expand on those implementations in follow-up topics. For details, see the Monitoring and Release Engineering quick start documents.

Foundation

  • eks/cluster: This component is responsible for provisioning an end-to-end EKS Cluster with EKS Auto Mode enabled. Auto Mode automatically manages compute (node provisioning), networking (ELB), and storage (EBS CSI) — replacing the need for self-managed Karpenter controller and ALB controller components.
  • eks/karpenter-node-pool: Deploys additional Karpenter Node Pools for workloads that require custom compute configurations beyond the Auto Mode defaults (e.g., GPU instances, specific instance families).
  • iam-service-linked-roles: Provisions IAM Service-Linked roles.
  • idp-roles: These identity provider roles specify several pre-determined permission levels for cluster users and come with bindings that make them easy to assign to Users and Groups. Use this component to define custom permissions within EKS.
  • metrics-server: A Kubernetes addon that provides resource usage metrics, used in particular by other addons such as the Horizontal Pod Autoscaler. For more, see metrics-server.
  • reloader: Installs the Stakater Reloader for EKS clusters. Reloader can watch ConfigMaps and Secrets for changes and use these to trigger rolling upgrades on pods and their associated DeploymentConfigs, Deployments, DaemonSets, StatefulSets and Rollouts.
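
As an added illustration of the GPU case mentioned under eks/karpenter-node-pool above (this is not the component's own Terraform or its rendered output), here is the shape of a NodePool for EKS Auto Mode. The karpenter.sh/v1 NodePool kind, the eks.amazonaws.com NodeClass reference and the eks.amazonaws.com/instance-category and karpenter.sh/capacity-type requirement keys are the Auto Mode API; the pool name, label, taint key, limits and durations are assumed values chosen for the example.

```yaml
# Added example, not the component's own code: an Auto Mode NodePool for GPU
# workloads. Pool name, label, taint, limits and durations are assumed values.
apiVersion: karpenter.sh/v1
kind: NodePool
metadata:
  name: gpu
spec:
  template:
    metadata:
      labels:
        workload-class: gpu
    spec:
      # Auto Mode supplies the NodeClass; do not point at an EC2NodeClass
      # left over from a self-managed Karpenter install.
      nodeClassRef:
        group: eks.amazonaws.com
        kind: NodeClass
        name: default
      requirements:
        - key: eks.amazonaws.com/instance-category
          operator: In
          values: ["g", "p"]           # GPU instance families only
        - key: karpenter.sh/capacity-type
          operator: In
          values: ["on-demand"]
        - key: kubernetes.io/arch
          operator: In
          values: ["amd64"]
      # Taint the pool so only workloads that explicitly tolerate it land here;
      # everything else keeps using the Auto Mode default pools.
      taints:
        - key: nvidia.com/gpu
          effect: NoSchedule
      # Replace nodes on a fixed cadence so they pick up freshly patched AMIs.
      expireAfter: 168h
  # Hard ceiling on the pool: bounds cost and blast radius if a workload
  # misbehaves and keeps requesting GPU capacity.
  limits:
    cpu: "256"
    memory: 1Ti
  disruption:
    consolidationPolicy: WhenEmpty
    consolidateAfter: 10m
```

The taint plus the limits block is the part worth keeping even if the instance selection changes: without the taint, any pod can be scheduled onto the expensive pool, and without limits a single runaway Deployment can keep Karpenter provisioning nodes until the account quota is hit.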

Network

  • cert-manager: A Kubernetes addon that provisions X.509 certificates.
  • eks/ingress-class: Configures the default Kubernetes IngressClass for ALB-based routing. With EKS Auto Mode, AWS manages the ALB controller natively — this component only needs to define the ingress class and group configuration. It automatically detects whether Auto Mode is enabled via the eks/cluster component state.
  • external-dns: A Kubernetes addon that configures public DNS servers with information about exposed Kubernetes services to make them discoverable. This component is responsible for adding DNS records to your Route 53 Hosted Zones.
  • echo-server: The echo server sends back to the client a JSON representation of all the data it received. We use this component to validate a cluster deployment.
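
The network chain described in the overview (cert-manager, eks/ingress-class, external-dns, echo-server) and the eks/ingress-class and external-dns entries above come together in three objects. The manifest below is an added example, not the component's own code or output: the IngressClassParams and IngressClass are what an Auto Mode ingress class looks like (controller eks.amazonaws.com/alb rather than the self-managed controller's ingress.k8s.aws/alb), and the Ingress shows the host that external-dns turns into a Route 53 record. The class name, group name, namespace, hostname and service port are assumed values.

```yaml
# Added example, not the component's own code. Class name, group name,
# namespace, hostname and service port are assumed values.
apiVersion: eks.amazonaws.com/v1
kind: IngressClassParams
metadata:
  name: alb
spec:
  # All Ingresses using this class share one ALB identified by the group name.
  group:
    name: platform
  # echo-server is a reachability test, so this class is internet-facing.
  # Use a second class with scheme: internal for anything that does not
  # need a public endpoint.
  scheme: internet-facing
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: alb
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
spec:
  # Auto Mode's built-in load balancer controller. A self-managed
  # aws-load-balancer-controller would use ingress.k8s.aws/alb instead;
  # mixing the two for one class leaves nobody, or both, reconciling it.
  controller: eks.amazonaws.com/alb
  parameters:
    apiGroup: eks.amazonaws.com
    kind: IngressClassParams
    name: alb
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo-server
  namespace: echo-server
spec:
  ingressClassName: alb
  rules:
    # external-dns reads this host (or an
    # external-dns.alpha.kubernetes.io/hostname annotation) and creates the
    # matching record in the Route 53 hosted zone it is allowed to manage.
    - host: echo.dev.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echo-server
                port:
                  number: 80
```

Validation is then a matter of resolving the host and confirming the JSON echo comes back through the ALB; if the record never appears, check that the hosted zone for the host is one external-dns has been granted access to before debugging the Ingress itself.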

EKS Capabilities

EKS Capabilities are AWS-managed cluster features that replace self-managed Helm chart deployments. Capabilities are configured via catalog mixins and deployed as part of the eks/cluster component.

Capability | Type   | Description
---------- | ------ | -----------
Argo CD    | ARGOCD | Managed GitOps continuous deployment. Replaces the self-managed Argo CD Helm chart. Integrates with AWS Identity Center for RBAC.
ACK        | ACK    | AWS Controllers for Kubernetes. Manages AWS resources (RDS, S3, DynamoDB, etc.) directly via Kubernetes CRDs.
KRO        | KRO    | Kube Resource Orchestrator. Provides resource composition and abstraction for Kubernetes.

Capabilities are assigned per stage using catalog mixins:

Stage        | Mixin               | Capabilities
------------ | ------------------- | ------------
plat-dev     | capabilities-all    | Argo CD + ACK + KRO
plat-staging | capabilities-argocd | Argo CD only
plat-prod    | capabilities-argocd | Argo CD only
core-auto    | (none)              | No capabilities

The Argo CD capability uses AWS Identity Center (IDC) for RBAC, with group mappings resolved dynamically from the aws-sso component via !terraform.state. No manual ARN configuration is needed.

Storage

Additional Operators

  • external-secrets-operator: This component (ESO) is used to create an external SecretStore configured to synchronize secrets from AWS SSM Parameter store as Kubernetes Secrets within the cluster.
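
The two objects the external-secrets-operator entry above describes, as an added example that is not the component's own code: a ClusterSecretStore backed by SSM Parameter Store and an ExternalSecret that materialises one parameter as a Kubernetes Secret. The store name, service account, region, namespace and parameter path are assumed values.

```yaml
# Added example, not the component's own code. Store name, service account,
# region, namespace and parameter path are assumed values.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-parameter-store
spec:
  provider:
    aws:
      service: ParameterStore
      region: us-east-1
      auth:
        # The IAM role bound to this service account is what decides which
        # parameters the whole cluster can read. Scope it to a path prefix
        # (e.g. arn:aws:ssm:*:*:parameter/plat/dev/*), never to "*".
        jwt:
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: echo-server-config
  namespace: echo-server
spec:
  refreshInterval: 1h              # re-sync so rotated parameters propagate
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-parameter-store
  target:
    name: echo-server-config       # the Kubernetes Secret ESO creates
    creationPolicy: Owner          # ESO owns and garbage-collects the Secret
  data:
    - secretKey: api-token
      remoteRef:
        key: /plat/dev/echo-server/api-token   # SecureString parameter name
```

The resulting object is an ordinary Kubernetes Secret: who can read it is governed by RBAC on secrets in that namespace, not by the parameter's IAM policy, so a broadly readable namespace undoes the path scoping on the store's role.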

Migrating from Pre-Auto Mode Deployments

If you have an existing deployment that uses the self-managed Karpenter controller, ALB controller, or ALB ingress group components, the following changes apply. Confirm that Auto Mode is enabled on the target cluster before removing the self-managed controllers, since Auto Mode is what takes over node provisioning and load balancer management once they are gone:

Old Component                    | Status        | Replacement
-------------------------------- | ------------- | -----------
eks/karpenter (controller)       | Removed       | EKS Auto Mode manages node provisioning
eks/alb-controller               | Removed       | EKS Auto Mode manages ELB
eks/alb-controller-ingress-group | Renamed       | eks/ingress-class
eks/karpenter-node-pool          | Updated to v3 | Still required for additional node pools

For component upgrade details, see the UPGRADING.md in the karpenter-node-pool and ingress-class component repositories.